Active Directory – infiniteloop.io

Active Directory UserAccountControl Details

Posted on October 17, 2019October 17, 2019 The LooperPosted in Active Directory, Powershell

Reference: https://support.microsoft.com/en-us/help/305144/how-to-use-useraccountcontrol-to-manipulate-user-account-properties

Server 2019 Domain Controller Replication – Unlucky Timing

Posted on April 4, 2019April 5, 2019 The LooperPosted in Active Directory, Powershell, Windows Server

Take a domain running multiple versions of Windows domain controllers across multiple AD sites and replicating just fine, add Server 2019 as a DC to the mix, and what do you get? Say it with me now “DCs mostly replicating just fine but KCC re-evaluated connections and one DC is now spamming event 1645 and […]

Domain Controller Granular Event Log Delegation

Posted on March 23, 2019March 30, 2019 The LooperPosted in Active Directory, Microsoft, Powershell

So you’ve combed through 7 year old TechNet forum posts, cursed the limitations of Event Log Readers group when trying to use Get-WinEvent, and then tried to decipher SDDL to no avail. A treatment for all those woes:

function Add-EventLogAccess {
    [cmdletbinding(supportsshouldprocess=$true)]
    param(
      [ValidateScript({Get-ADObject -ld "(samaccountname=$_)"})]
      [string]$Identity,
      [ValidateSet('Application','Security','System')]
      [string]$LogName,
      [ValidateSet('RO','RW')]
      [string]$Permission
    )

  try{
    #get original permissions in SDDL format
    $origValue = ((wevtutil.exe gl $LogName | ? {$_ -match '^channelAccess'}) -split ': ')[-1].trim()

    #create new SDDL syntax
    switch($Permission){
      'RO' {$PermissionHex = '0x1'}
      'RW' {$PermissionHex = '0x3'}
    }
    
    $ADsid = (Get-ADObject -ld "(samaccountname=$Identity)" -prop ObjectSid).ObjectSid.Value
    if($origValue -match $ADsid){write-host "$ADsid already set in SDDL, manual inspection required`nCurrent Value: $origValue" -f yellow; return}
    
    $newValue = "$origValue(A;;$PermissionHex;;;$ADsid)”
    write-host "CustomSD original value:  $origValue"
    write-host "CustomSD new value:  $newValue"
    
    $Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$logName"
      
    if($PSCmdlet.ShouldProcess("$logname log with value $newValue","Set-ItemProperty")){
      #NOTE removing customSD allows channelaccess to return to default, verified with wevutil.exe gl $LogName
      Set-ItemProperty -Path $path -Name 'CustomSD' -Value $newValue -Type string -ErrorAction Stop -Force 

      $regACL = Get-Acl $Path
      if($regacl.Access | ? {$_.identityreference -like "*$Identity" -and $_.RegistryRights -eq 'ReadKey' -and $_.AccessControlType -eq 'Allow'}){
        write-host "`n$Identity already has ability to read $Path" -f Yellow
      }
      else{
        write-host "`nAdd $Identity permission to $path" -f Green
        $rule = New-Object System.Security.AccessControl.RegistryAccessRule($Identity,'ReadKey','ContainerInherit,ObjectInherit','None','Allow')
        $regACL.AddAccessRule($rule)
        Set-Acl -AclObject $regACL -Path $regACL.Path -ErrorAction Stop
      }
    }
  } 
  catch{
    throw $_
  }

}

Add-EventLogAccess -Identity 'MY_AD_GROUP' -LogName Security -Permission RO

function Add-EventLogAccess {

[cmdletbinding(supportsshouldprocess=$true)]

param(

[ValidateScript({Get-ADObject -ld "(samaccountname=$_)"})]

[string]$Identity,

[ValidateSet('Application','Security','System')]

[string]$LogName,

[ValidateSet('RO','RW')]

[string]$Permission

)

try{

#get original permissions in SDDL format

$origValue = ((wevtutil.exe gl $LogName | ? {$_ -match '^channelAccess'}) -split ': ')[-1].trim()

#create new SDDL syntax

switch($Permission){

'RO' {$PermissionHex = '0x1'}

'RW' {$PermissionHex = '0x3'}

}

$ADsid = (Get-ADObject -ld "(samaccountname=$Identity)" -prop ObjectSid).ObjectSid.Value

if($origValue -match $ADsid){write-host "$ADsid already set in SDDL, manual inspection required`nCurrent Value: $origValue" -f yellow; return}

$newValue = "$origValue(A;;$PermissionHex;;;$ADsid)”

write-host "CustomSD original value: $origValue"

write-host "CustomSD new value: $newValue"

$Path = "HKLM:\SYSTEM\CurrentControlSet\Services\Eventlog\$logName"

if($PSCmdlet.ShouldProcess("$logname log with value $newValue","Set-ItemProperty")){

#NOTE removing customSD allows channelaccess to return to default, verified with wevutil.exe gl $LogName

Set-ItemProperty -Path $path -Name 'CustomSD' -Value $newValue -Type string -ErrorAction Stop -Force

$regACL = Get-Acl $Path

if($regacl.Access | ? {$_.identityreference -like "*$Identity" -and $_.RegistryRights -eq 'ReadKey' -and $_.AccessControlType -eq 'Allow'}){

write-host "`n$Identity already has ability to read $Path" -f Yellow

}

else{

write-host "`nAdd $Identity permission to $path" -f Green

$rule = New-Object System.Security.AccessControl.RegistryAccessRule($Identity,'ReadKey','ContainerInherit,ObjectInherit','None','Allow')

$regACL.AddAccessRule($rule)

Set-Acl -AclObject $regACL -Path $regACL.Path -ErrorAction Stop

}

catch{

throw $_

}

Add-EventLogAccess -Identity 'MY_AD_GROUP' -LogName Security -Permission RO

The basic gist here is that the CustomSD registry value will contain your new permissions and […]

Powershell Dynamic Menu from Object Array

Posted on July 19, 2017May 29, 2019 The LooperPosted in Active Directory, Powershell

Ya know what grinds my gears? Getting a CSV of employees without a unique key column – no samaccountname, UPN, email, DistinguishedName, SID – nothing. Sometimes you’ll even get supplied with a column of <firstname><space><lastname> using 3rd party information that doesn’t mesh with AD info either. Nice. The function below can be used with an […]

Get AD Group Member Details from Trusted Domains

Posted on June 4, 2017July 5, 2017 The LooperPosted in Active Directory, Powershell

The vast majority of active directory powershell cmdlets don’t need any enhancement but there is one in particular that I felt could use an alteration: Get-ADGroupMember. When using this command it will return [Microsoft.ActiveDirectory.Management.ADObject] types which can be thrown to a switch statement depending on objectclass and you will get the object’s home AD info. However, when […]

Add Parent OU in DN and CN Path Format Using Regex Match

Posted on April 24, 2017May 8, 2017 The LooperPosted in Active Directory, Powershell

Yet another solution for grabbing Parent OU paths

$userArr = Get-ADuser -f * -prop CanonicalName

foreach($user in $userArr)
{
  if($matches){$matches.Clear()}
  $user.CanonicalName -match '.*(?=\/)' | Out-Null
  $user | Add-Member -MemberType NoteProperty -Name 'custom_ParentCN' -Value $matches[0] -Force

  if($matches){$matches.Clear()}
  $user.DistinguishedName -match '(?<=,).*' | Out-Null
  $user | Add-Member -MemberType NoteProperty -Name 'custom_ParentDN' -Value $matches[0] -Force
}

$userArr | sort surname | select surname,givenname,custom* | ft -a

$userArr = Get-ADuser -f * -prop CanonicalName

foreach($user in $userArr)

{

if($matches){$matches.Clear()}

$user.CanonicalName -match '.*(?=\/)' | Out-Null

$user | Add-Member -MemberType NoteProperty -Name 'custom_ParentCN' -Value $matches[0] -Force

if($matches){$matches.Clear()}

$user.DistinguishedName -match '(?<=,).*' | Out-Null

$user | Add-Member -MemberType NoteProperty -Name 'custom_ParentDN' -Value $matches[0] -Force

}

$userArr | sort surname | select surname,givenname,custom* | ft -a

Discover Circular AD Group Memberships

Posted on February 1, 2017July 5, 2017 The LooperPosted in Active Directory, Powershell

Might as well have a recursive function in the first post eh? I stumbled across this script to discover circular Active Directory group memberships but was inspired to get a more visual representation after reading the FAQ section. Group membership details used for demonstration: Script output comparison: The script will pull in all AD groups […]